Honeypots mailing list archives

Re: Honeypot/net IDS System


From: "Michael" <michael () insulin-pumpers org>
Date: Tue, 24 Feb 2004 16:27:12 -0800

----- Original Message ----- 
I'm puzzled by everyone's interest in "fake honeypot" systems. I've run a
couple of them for several years and there is almost NO traffic even
though I have a bunch of email addy's on web pages for spamscrapers to
find.

Ah. But are they on sites that people are likely to find?

Even with my modest site, I had the first honeytoken () codecutters org
message within 24 hours.

Of the 16,722 messages rejected by the SMTP server/honeypot, a full
7,804 have been to the two honeypot addresses. Of these, 144
messages were stopped *only* because of the address (which is
basically the purpose of the honeypot, along with keeping the
filters up-to-date!)

All of this would be fairly pointless if the bot isn't fooled into
taking the bait... ;o)

Regards,

Ian Baker
Webmaster, codecutters.org


I think you made my point.

We get about 100 or fewer legit messages a day (site traffic stats at:
http://www.insulin-pumpers.org/images/traffic-ip.gif)
out of roughly 3000 attempted deliveries (averages for the last 20 days).
Of these, about 30-50 that are spam slip by and are re-routed to the
tarpit; for all the remaining almost 3000, the remote server
delivering them ends up in the tarpit. That is a substantially higher
ratio than you show above. You get less than 50% efficiency, I get
98%, or basically all that can be identified as spam using DNSBLs or
filtering, manual or otherwise.

The tarpit in question is not an SMTP dummy, but a true TCP/IP tarpit
that slams the transmission window shut and hangs on to the server
until it gives up or times out; this is sometimes days... and it
is a single thread for all trapped messages.

The interesting thing about this tarpit is that once the IP is added
to the database, since there is no more traffic, additional attempts
at delivery are not even seen, so the 60k number is probably higher
than indicated by quite a bit.

See our stats page at http://www.spamcannibal.org/dnsbl_stats.shtml

You can see that the MTA rejects lead the tarpit stats by a fair
percentage for both systems. This is the traffic where the source
attempts more than one transmission before the batch job puts the IP
address in the tarpit. There is an average 7-10 minute access delay
caused by the cron tasks that run every 15 and 20 minutes,
respectively, on the two systems to check for bad IP addresses.

Michael
Michael () Insulin-Pumpers org
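The pipeline Michael describes (a honeytoken hit lists the sending IP immediately, the MTA rejects that IP's further deliveries, and a cron batch job later moves listed IPs into the tarpit, so MTA rejects run ahead of tarpit hits and a listing-to-tarpit delay appears) can be modelled over a handful of log lines. The following is an added example written for this archive page; it is not code from either poster, from insulin-pumpers.org or from spamcannibal.org. The log format, the honeytoken addresses and the log lines are all constructed for the example, and the 15-minute batch interval is the one quoted in the post.

```python
import re
from dataclasses import dataclass, field

# Assumed honeytoken (honeypot) recipient addresses; constructed, not the thread's real ones.
HONEYTOKENS = {"honeytoken@example.org", "trap-2@example.org"}
# Batch interval of the cron job that copies listed IPs into the tarpit (from the post).
BATCH_INTERVAL_MIN = 15

# Constructed log format: "<minute> <client-ip> RCPT TO:<recipient>"
LOG_RE = re.compile(
    r"^(?P<t>\d+)\s+(?P<ip>(?:\d{1,3}\.){3}\d{1,3})\s+RCPT TO:<(?P<rcpt>[^>]+)>$"
)

# Constructed sample log: two sending hosts, each eventually touching a honeytoken.
SAMPLE_LOG = """\
0 198.51.100.7 RCPT TO:<honeytoken@example.org>
3 198.51.100.7 RCPT TO:<alice@example.org>
9 203.0.113.42 RCPT TO:<bob@example.org>
12 198.51.100.7 RCPT TO:<carol@example.org>
20 198.51.100.7 RCPT TO:<dave@example.org>
25 203.0.113.42 RCPT TO:<trap-2@example.org>
40 203.0.113.42 RCPT TO:<erin@example.org>
"""


@dataclass
class PipelineStats:
    accepted: int = 0       # deliveries the MTA let through
    mta_rejects: int = 0    # deliveries rejected by the MTA (IP already listed, or honeytoken hit)
    tarpit: int = 0         # connections swallowed by the tarpit, never seen by the MTA
    listed_at: dict = field(default_factory=dict)     # ip -> minute it was listed
    tarpitted_at: dict = field(default_factory=dict)  # ip -> minute the batch job tarpitted it

    def delays(self):
        """Minutes between an IP being listed and the batch job moving it to the tarpit."""
        return {ip: self.tarpitted_at[ip] - self.listed_at[ip] for ip in self.tarpitted_at}


def parse_log(text):
    """Parse constructed log lines into (minute, ip, recipient) events, oldest first."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the whole run
        events.append((int(m["t"]), m["ip"], m["rcpt"].lower()))
    return sorted(events)


def simulate(events, interval=BATCH_INTERVAL_MIN, honeytokens=HONEYTOKENS):
    """Replay events through the list-then-tarpit pipeline and collect the counts."""
    stats = PipelineStats()
    next_batch = interval
    for t, ip, rcpt in events:
        # Run every batch job that was due before (or at) this event.
        while next_batch <= t:
            for listed_ip in stats.listed_at:
                stats.tarpitted_at.setdefault(listed_ip, next_batch)
            next_batch += interval
        if ip in stats.tarpitted_at:
            stats.tarpit += 1                   # connection goes straight into the tarpit
        elif ip in stats.listed_at or rcpt in honeytokens:
            stats.listed_at.setdefault(ip, t)   # first honeytoken hit lists the IP at once
            stats.mta_rejects += 1              # MTA rejects until the batch job catches up
        else:
            stats.accepted += 1
    return stats


if __name__ == "__main__":
    s = simulate(parse_log(SAMPLE_LOG))
    print(f"accepted={s.accepted} mta_rejects={s.mta_rejects} tarpit={s.tarpit}")
    print("listing-to-tarpit delays (min):", s.delays())
```

With the sample above the MTA rejects (4) outnumber the tarpit hits (2), for exactly the reason given in the post: a listed host keeps retrying during the window before the cron job runs. The per-IP delays (15 and 5 minutes here) are what averages out to the 7-10 minutes the post mentions for a 15- or 20-minute cron interval.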

